There is a lot of ambiguity as to what Zero Trust security actually is. Vendors, analysts, and other independents all have slightly different definitions, which has led to the term being stigmatized as a buzzword. There are so many different variations as well: Zero Trust Security, Zero Trust Networking, Zero Trust Network Access, Zero Trust Authentication, Zero Trust Application Access – the list is quite exhaustive.

What is Zero Trust Security?

Zero Trust is a network security model designed to handle the challenges of modern IT environments. The way businesses operate has changed; data is stored beyond corporate walls and limitless connections have given rise to remote working. The notion of having a fixed perimeter to protect IT assets is no longer effective; security needs to be dynamic and shift to where data, applications, users and devices are.

The purpose of Zero Trust is to eliminate implicit trust from the network, taking a deny-by-default position instead. Everything that requests access to a corporate service must undergo a strict verification process. There are no exceptions. Whether a user is on-site or working remotely, on a corporate-owned device or a personal smartphone, Zero Trust is about enforcing consistent security and access controls.

You’ve probably heard the phrase ‘never trust, always verify’. Zero Trust is built around authentication and authorization before access is granted.

Authentication: Strict verification that every individual is who they claim to be, and that the device they are using is secure, is required when attempting to access resources on the corporate network.

Authorization: A policy of least-privilege access is enforced, giving users access only to applications they have explicit permission to use. By restricting access, lateral movement is prevented, limiting the blast radius of any potential breach.

Importantly, authentication and authorization aren’t a one-time occurrence; constant assessment is required to ensure that security compliance is met. If a threat is detected or suspected, access to applications must be severed immediately, during the user’s session.

Why is identity important in Zero Trust?

Gartner, who coined the term Zero Trust Network Access (ZTNA), defines it as:

“ZTNA creates an identity and context-based, logical boundary around an application or set of applications. The applications are hidden from discovery and access is restricted via a trust broker. The broker verifies the identity, context and policy adherence of the specified participants before allowing access.”

Identity is considered a cornerstone of Zero Trust. A user’s level of permission should be directly tied to their identity. Rather than having groups with broad-brush permissions, every user’s permissions need to be precisely controlled. Conversely, it can’t be a laborious process of configuring each identity one by one; it needs to scale using a centralized policy engine that can enforce across device types, applications and user groups, eliminating the need for point solutions.

Users should only have access to what they need to do their job; anything else they shouldn’t even be able to see, limiting the opportunity for unauthorized access. Under traditional access controls, if I really wanted to, I could navigate my way to the login pages for our HR platform and force my way in. With Zero Trust, I shouldn’t even have the opportunity to get to that login page, regardless of whether it is an on-premises or cloud application.

It’s not enough to trust someone with the right user credentials; they’re too easily stolen and end-user password hygiene is typically poor. We only need to look at the Twitter hack as a case study in weak Identity and Access Management (IAM). The wider context of an access request needs to be considered, with device health being an important component. A user’s identity should never vouch for the compliance of a device. Just because someone can prove who they are doesn’t mean their device isn’t harboring malware or hasn’t been compromised in some capacity; take the Jeff Bezos phone hack, for example.

There are also contextual factors that need to be considered, like geolocation. If Dave’s permanent location is New York, then why is he signing in from New Delhi? Context is becoming an increasingly important part of Zero Trust maturity. Both Forrester and Gartner suggest that for a successful Zero Trust implementation, a broader range of metrics needs to be considered, and decisions shouldn’t rely on end-user identity alone.

The above can be broken down into five guiding principles for a Zero Trust strategy.

Zero Trust principles

Every vendor will have its own set of ‘principles’ that conveniently tie to the Zero Trust product they’re trying to sell, but there are commonalities:

Trust no one

The philosophy behind a Zero Trust network assumes that there are attackers both inside and outside of the physical network, so all users and devices must prove their trustworthiness. It ties in with the phrase ‘never trust, always verify’.

Verify identity claims

The identity and authentication of an end-user is a cornerstone of Zero Trust security. Early forms of multi-factor authentication required users to enter a one-time use code in addition to their password to prove that they were who they claimed to be. More modern approaches to authentication use other forms of verification that are more streamlined and less onerous on the user, such as possession of a specific device or the use of a biometric identifier.

Do not ignore the device

In addition to strict controls on user access, Zero Trust Network Access systems must be device-aware and require assurances that every device is authorized. By denying connections from anonymous devices the attack surface is further minimized. More advanced Zero Trust security models incorporate a risk assessment of each device, leaving nothing to chance.

Give those you know what they need

Zero trust principles start from exactly that: zero. Users and devices receive no initial trust. Based on the results of user and device assessment, trust is extended, but only to the extent required. The result gives users only as much access as they need, which represents a clear application of the principle of least privilege. This minimizes each user’s exposure to sensitive parts of the network, reducing the impact that a breach can have on the organization.

Play zone defense

One way to think of Zero Trust is this – it creates and manages individualized perimeters containing two and only two members: a user and the application with which they’re interacting. Before connecting to an application, the user and device must authenticate and verify they have permission to access that specific application. For example, an organization with multiple applications being maintained by IT would use Zero Trust to force users, devices, or workloads to be authorized separately for each application they access.
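As an added illustration (not code from the original post or from any vendor), here is a hypothetical deny-by-default policy decision point in Python that ties the principles above together: identity verification, device posture, request context such as geolocation, explicit per-application grants, and continuous re-evaluation of a live session. All class names, fields and checks are assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import Tuple

# Hypothetical data model for a Zero Trust policy decision point (constructed example).
@dataclass
class User:
    name: str
    home_country: str
    mfa_verified: bool
    app_grants: frozenset  # applications this identity is explicitly permitted to use

@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled and authorized, i.e. not an anonymous device
    compliant: bool  # passed its health check (patched, no malware indicators)

@dataclass
class Context:
    country: str     # geolocation of the access request

def evaluate(user: User, device: Device, ctx: Context, app: str) -> Tuple[bool, str]:
    """Deny-by-default decision for one user+device+app 'perimeter'.

    Every check is a reason to deny; access is granted only when all pass.
    The reason is returned so a deny can be logged for detection.
    """
    if not user.mfa_verified:
        return False, "identity not strongly verified"
    if not device.managed:
        return False, "anonymous or unauthorized device"
    if not device.compliant:
        return False, "device failed health check"
    if ctx.country != user.home_country:
        return False, f"location {ctx.country} does not match {user.home_country}"
    if app not in user.app_grants:
        return False, f"no explicit grant for {app}"
    return True, "all checks passed"

class Session:
    """An active user->app connection that is re-assessed continuously, not once."""
    def __init__(self, user: User, device: Device, ctx: Context, app: str):
        self.user, self.device, self.ctx, self.app = user, device, ctx, app
        self.active, self.reason = evaluate(user, device, ctx, app)

    def reassess(self) -> bool:
        """Re-run policy mid-session; sever access as soon as any check fails."""
        ok, reason = evaluate(self.user, self.device, self.ctx, self.app)
        if not ok:
            self.active, self.reason = False, reason
        return self.active
```

A real deployment would feed `Device.compliant` from an endpoint management or EDR signal and `Context.country` from the connection metadata, then call `reassess()` on every posture change rather than only at login.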

Why has Zero Trust security emerged?

The traditional security methodology of the castle-and-moat approach typically uses location as an indicator of trust. For example, when you’re sitting in the office, the theory was you could be automatically trusted because you’ve gone through all the necessary badge checks to get into the office and access the network. Anything that sat inside the network perimeter could be trusted, and everything beyond treated as hostile.

The reality is, threats can still penetrate the network and move laterally; we only need to look at insider threats, malware and phishing attacks. The traditional, perimeter-based security model is further weakened by modern IT environments that have embraced cloud services and enabled a mobile workforce.

Cloud Adoption

Initially, the cloud was approached with caution. Outsourcing IT infrastructure to a third party means less control, which isn’t inherently a good thing in the infosec world. But now, the early skepticism of cloud has been overcome, and cloud adoption continues to grow, particularly in the wake of the COVID pandemic; 82% of IT leaders ramped up their usage of cloud since the shift to remote working.

Cloud computing changes the access and security dynamic for businesses. A distributed infrastructure means that perimeter-centric security technologies become ineffective. A firewall can’t protect a SaaS application as it isn’t hosted on the network it is protecting. So security and access controls need to shift to where the data, users and devices are.

Modern mobility

Enabling employees to work from anywhere brings productivity benefits. It doesn’t make sense for employees to be shackled to their workstations from 9-5 in order to get work done. However, modern mobility complicates security and access.

Anything beyond the network perimeter is considered hostile, so how do you allow trusted users access to corporate resources? Remote access services like VPN, VDI, RDS and DaaS have all been used to provide remote users with access, but they all have their limitations and aren’t designed for mobile-first, cloud-heavy environments, nor do they provide robust security.

The past couple of decades have shown that the traditional security model isn’t appropriate for today’s business environment. We’ve seen major data breach after major data breach, forcing new regulations to be introduced and businesses of all sizes to reconsider their approach to security.

Zero Trust Stats

There are a number of market drivers behind Zero Trust, but there is research to back it up.

  • Enterprises already run 77% of their workloads in the cloud
  • 48% of respondents believe that contractors leave their company exposed to significant compliance risk
  • 77% of IT professionals believe that network segmentation can help prevent server compromise
  • Least privilege is considered best practice by many CISOs, with 73% of them citing the implementation of least privilege as the top challenge
  • 66% of CISOs identify visibility into structured data usage in the cloud as a critical challenge

You can find more stats on Zero Trust and the research supporting the use case here.

Zero Trust platforms and technologies

If you’re shopping around for a Zero Trust platform, you’ll soon find out it isn’t one single technology; Zero Trust is a security model requiring a holistic approach to network security and choosing a selection of technologies based on the aforementioned principles.

It’s important to note that there are multiple ways of deploying a Zero Trust model with two primary methods being a Software-Defined Perimeter and a Reverse Proxy.

A good starting point to understand the Zero Trust marketscape is the Gartner Market Guide for ZTNA which provides a thorough overview of the market, direction, use cases, technologies and recommendations for security and IT professionals.

Many businesses have started their Zero Trust projects with IAM services like Single Sign-On (SSO) and Multifactor Authentication, centralizing identity directories to ease management as well as to reduce the need for users to manually re-authenticate during a session.

Additional resources

Your inbox is likely full of Zero Trust emails from Zero Trust vendors. For Zero Trust security alone, there are over 400k results on Google. So we’ve scoured the internet to find the best resources on Zero Trust: